Governance and Accountability under the GDPR November 2, 2016

Roadmap to the GDPR - Governance and Accountability

Page 1: Roadmap to the GDPR - Governance and Accountability

Governance and Accountability under the GDPR

November 2, 2016

Page 2: Roadmap to the GDPR - Governance and Accountability

Follow us: @AlstonPrivacy www.AlstonPrivacy.com 2

Speakers

Peter Swire, Senior Counsel, Atlanta, Alston & Bird

Jan Dhont, Partner, Brussels, Alston & Bird

David Keating, Partner, Atlanta, Alston & Bird

Peter Cullen, Executive Strategist, Information Accountability Foundation

Page 3: Roadmap to the GDPR - Governance and Accountability


Overview

Program Introduction

Topic Overview

History and Context of Accountability | Why Does it (and Did it) Matter to Business?

Accountability under the GDPR | Practical Considerations

Where is the Accountability Trend heading?

Q&A

Page 4: Roadmap to the GDPR - Governance and Accountability


Topic Overview

-- Peter Swire --

Page 5: Roadmap to the GDPR - Governance and Accountability


History and Context of Accountability | Why Does it (and Did it) Matter to Business?

-- Peter Cullen

Page 6: Roadmap to the GDPR - Governance and Accountability


History of Accountability

1980 – OECD Privacy Guidelines

2000 – Canada Private Sector Privacy Legislation

2004 – APEC Privacy Framework

2009 – Essential Elements of Accountability (Global Accountability Dialogue)

2010 – EU Working Party 29 accountability opinion

2012 – Canadian guidance on accountability

2014 – Hong Kong guidance

2015 – Colombia guidance

2016 – EU General Data Protection Regulation

Page 7: Roadmap to the GDPR - Governance and Accountability


Essential Elements of Accountability

1. Corporate commitment to internal policies (codes of conduct) that link to external criteria – data protection law

2. Mechanisms to put those policies into effect, including identifying risk to individuals and mitigating those risks (privacy-by-design)

3. Internal monitoring to assure mechanisms work

4. Individual participation – transparency; consent (where effective)

5. Standing ready to demonstrate to a regulator on request and remediation where necessary

Page 8: Roadmap to the GDPR - Governance and Accountability


Accountability under the GDPR | Practical Considerations

-- Jan Dhont

Page 9: Roadmap to the GDPR - Governance and Accountability


GDPR’s Trinity of Effective Data Protection

- Accountability

- Enhanced Data Protection Rights

- Increased Enforcement and Sanctions

Actors: Controllers/Processors; Individuals; Supervisory Authorities

Accountability is about Effective Data Protection

Page 10: Roadmap to the GDPR - Governance and Accountability


Accountability

Embodies elements of the WP29 Opinion on Accountability (3/2010)

“Take appropriate and effective measures to implement data protection principles”

Need “to demonstrate upon request such appropriate and effective measures have been taken and provide evidence”

Measures are not defined by WP29 but are scalable as a function of risk

“The expected effects of [accountability] would include the implementation of internal measures and procedures putting into effect existing data protection principles, ensuring their effectiveness and the obligation to prove this should data protection authorities request it.”

Page 11: Roadmap to the GDPR - Governance and Accountability


Accountability under the GDPR

Article 24: “controller shall implement appropriate technical and organizational measures to ensure and be able to demonstrate that processing is performed in accordance with [the GDPR].” Review and update measures “where necessary”

Appropriate data protection policies

Article 5: “The controller shall be responsible for, and be able to demonstrate compliance with [principles relating to data processing]” (lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality)

Non-compliance with the accountability principle is subject to maximum fines of 20 MM EUR or 4 percent of the turnover of the undertaking, whichever is higher (Art 83 (5)).

Page 12: Roadmap to the GDPR - Governance and Accountability


“Accountability-Related” Measures

- Data Privacy Impact Assessments for “high risk processing” (Art. 35)

- Implement data protection by design and by default (Art. 25)

- Appoint a DPO in some cases (Art. 37)

- Obligation to keep data processing records (Art. 30)

- Specific requirements to demonstrate compliance with obligation to:

  - track consent and demonstrate validity of consent (Art. 7)

  - provide information on action taken on requests relating to data subject rights (Art. 12)

  - document breaches and assessment that notification to Supervisory Authorities is not required (Art. 33 (5))

  - document “compelling legitimate interests” to reject the data subject’s objection to processing (Art. 21 (1))

  - assess and document safeguard measures for ad hoc data transfers (Art. 49 (1)(g))

  - provide instructions to data processors; these need to be “documented” (Art. 28 (3)(a))

Minimalist v. Maximalist Approach.

Page 13: Roadmap to the GDPR - Governance and Accountability


Accountability Requires Effective Privacy Program

Policies: Information practices must be covered by adequate policies reflecting GDPR obligations (e.g., HR, consumer/customer, vendor/supplier, IT & Info sec, breach response, data retention, online/offline)

Procedures: Accountability may require revision of processes and procedures to ensure effective implementation of policies (e.g., administration of rights, breach response, vendor management, audit protocols, access management, PIAs/DPIAs)

Controls: Effective/recurrent auditing and complaint handling

Documentation: Build system inventory; keep records required for provision to Supervisory Authorities; document (i) administration of rights, (ii) audit cycles and actions taken, (iii) complaint handling and follow-up, (iv) “accountability-related measures” (breach, consent, …)

Program building blocks (Legal/Policy, IT/System, Personnel): privacy by design/default; accommodation of privacy rights; information security; DPO; staffing/privacy personnel; awareness and training

Page 14: Roadmap to the GDPR - Governance and Accountability


Accountability Drives Need for Inventory

Process/System Inventory

- What data are we collecting?

- What is the purpose of collection?

- How are we processing the data?

- What is the legal basis for each processing operation?

- Where is the data stored?

- How long are we retaining the data?

- Who has access to the data?

- Where is the data transferred?

Feeds record production:

- Controller must maintain records of all processing including breaches – including processing or breaches of service providers/vendors (Art. 30)

Provides overview of Policies and Procedures:

- Controller must implement appropriate & effective policies/processes (Art. 24)

- Controller must know legal bases for processing to comply with objection rules (Art. 15-22)

- Notices must now disclose (a) legal bases for processing; (b) legitimate interests pursued; (c) retention periods; and (d) transfer recipients (Art. 13-14)

- Controllers need overview to decide if consent is required (Art. 7)

Provides overview of effective governance and action areas:

- Capability to demonstrate compliance with core data privacy principles (Art. 5 (2))

- Privacy By Design/PIAs/Effective Vendor Management

Page 15: Roadmap to the GDPR - Governance and Accountability


Accountability Drives the Need for PIAs and DPIAs

PIAs are an essential tool to ensure accountable data processing

Consider a “two-tier” approach:

- PIAs for all information systems (as default/possible to include thresholds)

- DPIAs for “high risk” processing as required by the GDPR

PIAs can be instrumental to:

- ensure basic understanding of core processes and related facts (storage location, data flow, core purposes and functionalities, etc.)

- address privacy-by-design/default

- help achieve compliance with the general privacy principles

- ensure effective implementation of data subject rights

- address effective vendor management

- address information security

- confirm coverage by applicable policies/procedures/notices

PIAs can “feed” inventory as a tool to create oversight

“High Risk Processing” includes inter alia:

- Automated decision-making, or profiling with significant effects

- Large scale sensitive data processing

- Systematic monitoring of “a publicly accessible area on a large scale” (Art. 35)

Page 16: Roadmap to the GDPR - Governance and Accountability


Tips

- Provide for policies and procedures that establish criteria in advance for addressing compliance requirements and their operationalization

- Maximize documentation of actions that help demonstrate thoughtfulness and compliance, e.g.:

  - Interaction with individuals and feedback provided, for instance, in context of rights management

  - Complaint handling

  - Provision of notices

  - Audits conducted and subsequent compliance efforts

  - Vendor vetting

- Consider automation where possible, e.g.:

  - Rights management (preference settings, means to access and rectify information, present notices, etc.)

  - Default PIA processes and documentation/escalation processes

  - Systems inventory and processing records

- Ensure timely action and handling of requests/complaints:

  - Controller must provide information on status of rights handling – feedback required within 1 month

  - Contain complaints and avoid escalation to Supervisory Authorities

Page 17: Roadmap to the GDPR - Governance and Accountability


Accountability for Processors

Processors are subject to “accountability-related” requirements:

- “Records of processing activities under its responsibility” (Art. 30 (2))

- DPO appointment (Art. 37)

The market is expected to drive accountability initiatives to build customer trust and secure commercial interests

Accountability obligations seem to apply primarily to controllers -- however:

Processors have direct liability under the GDPR and therefore should be in a position to demonstrate compliance with obligation to:

- provide for appropriate technical and organizational measures to ensure a level of security “appropriate to the risk” (Art. 32)

- apply “flow down” provisions to sub-contractors (Art. 28(4))

- inform controller of a data breach without “undue delay” after becoming aware (Art. 33)

- appoint a representative in case of extra-territorial application (Art. 27)

- ensure compliant transfer mechanism for export of personal data (Art. 44)

Processors must be contractually liable vis-à-vis controllers to “make available to the controller all information necessary to demonstrate compliance with the obligations in the data protection contract” (Art. 28 (3)(h))

Page 18: Roadmap to the GDPR - Governance and Accountability


CNIL Privacy Label Program

- Addresses accountability and sets forth key building blocks for a privacy program

- Provide for internal and external facing policies; ensure review at least every 3 years

- Central role of DPO – approval of policies, training and funding

- DPO must be involved in key projects

- Validation processes and risk assessments …

Page 19: Roadmap to the GDPR - Governance and Accountability


Accountability Tools

Certification programs (Art. 42)

Codes of conduct (Art. 40)

Binding Corporate Rules (Art. 47)

“Adherence to approved codes of conduct […] or approved certification mechanisms […] may be used as an element by which to demonstrate compliance with the obligations of the controller” (Art. 24 (3), stress added).

Page 20: Roadmap to the GDPR - Governance and Accountability


Robust Privacy Governance for BCRs

Privacy Governance Structure (diagram; columns: Policy, Implementation, Effectiveness, Control)

- Policy – GROUP’S GLOBAL PRIVACY POLICY: HR Data & Privacy Policy; Vendor & Supplier Data Privacy Policy; Customer Data Privacy Policy; Privacy Notices; Employee Policies & Confidentiality Clauses

- Implementation – PROCESSES & PROCEDURES: Map Data Processing Activities & Data Flows; IT Security; Third Party Relations; Roles & Responsibilities; Data Quality/Breach Response

- Effectiveness – EFFECTIVE COMPLIANCE MEASURES: Training & Testing; Complaint & Request Handling; Network of Privacy Officers & Staff; Sanction Mechanism; PIA & Template; Contacts for 3rd Parties; Cooperation with DPAs

- Control – AUDIT PROGRAM: Internal and/or External Annual Audit; Ad Hoc Investigations

Page 21: Roadmap to the GDPR - Governance and Accountability


Accountability and Liability

Accountability obligation to “demonstrate compliance” with data privacy principles is subject to maximum fines

A strong governance program is a factor that can be taken into account by the Supervisory Authorities when fining (Art. 83 (d))

A strong governance program will promote effective prevention, detection and handling of incidents

Supervisory Authorities may have “immediate cause of action” in case information is not provided upon request (WP 29, Opinion 3/2010)

Page 22: Roadmap to the GDPR - Governance and Accountability


Takeaways

Companies must be prepared to demonstrate compliance with each and every GDPR requirement

Focus not only on “accountability-related” measures, but consider a consistent privacy program that shows commitment to data privacy

Keep documentation on the effective administration of the program, showing that policies and procedures are not “dead matter”

Accountability helps to build trust and mitigate risk where full compliance may be quasi-impossible

Page 23: Roadmap to the GDPR - Governance and Accountability


Where is the Accountability Trend heading?

-- Peter Cullen

Page 24: Roadmap to the GDPR - Governance and Accountability

Business Drivers Expanding the Risk Gap for Organizations

The explosion of data collection and use creates greater risk. Regulatory trends are growing faster than the controls in place to manage these risks.

Chart: Risk versus Collection and Use of Information. Data Collection & Use rises faster than Controls; the difference is the Risk Gap. Stages of collection and use:

- Core product offering, limited PII

- Core product offering, various PII plus personalization & consumer choice

- Core product offering, various PII plus multiple data sources, analytics & personalization

- Mergers, acquisitions, and new/updated consumer data collection, analytics and processing used to drive new products, new services, new personalization & insights, and increase in direct to consumer services

Pressures widening the gap: New Regulations (GDPR; Legal; Fair and Just; Public Expectations); Domestic/international regulatory & cultural changes; Increasing business complexity & data use

• Rapid changes in laws/standards across the world pose compliance challenges

• Expansion of Regulatory approach and expectations into “fair and just” processing and use of data – broad range of rights and interests

• Public opinion is increasingly aware of privacy as a business issue

• Regulator scrutiny and authority is growing

• Increased focus on deriving new insights & opportunities through data

• New revenue streams based on data expand the business

• Expansion of use from PI to “all” data

• Growing risk profile associated with growing privacy-sensitive capabilities (IoT, Analytics, etc.)

As compliance obligations and regulatory scrutiny for privacy become more challenging for organizations, it’s increasingly important to promote the development of effective, scalable and practical public policy to data privacy & governance obligations

Page 25: Roadmap to the GDPR - Governance and Accountability


Business Risk

Data-driven innovation and the organizations that are dependent upon it are at risk from an information governance vacuum and how policy makers and regulators might fill it.

Put simply, the risk of having data and prohibitions on making innovative uses of that data is growing by the day and creating regulatory risk, customer trust risk and reticence risk; information will simply not be used because decision drivers are unclear.

Page 26: Roadmap to the GDPR - Governance and Accountability


Q&A

Thank you!

For more reading on privacy, see: http://www.alstonprivacy.com/

Page 27: Roadmap to the GDPR - Governance and Accountability


New York Webcast Participation

If you are requesting CLE credit in New York, please enter the following code on the Attorney Affirmation sheet. Refer to your webcast confirmation for a link to the sheet

[*]

Page 28: Roadmap to the GDPR - Governance and Accountability


About Alston & Bird’s Privacy and Data Security Practice:

Follow us: @AlstonPrivacy

www.AlstonPrivacy.com

Cybersecurity Preparedness & Response Team

Alston & Bird’s Cybersecurity Preparedness & Response Team specializes in assisting clients in both preventing and responding to security incidents and data breaches, including all varieties of network intrusion and data loss events.

www.alstonsecurity.com

Privacy & Data Security Team

Our team helps clients at every step of the information life cycle, from developing and implementing corporate policies and procedures to representation on transactional matters, public policy and legislative issues, and litigation.

www.alston.com/privacy

Questions